Menu

Show posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Show posts Menu

Messages - trdeal

Pages1 2
#1
26.1 Series / Re: Need to select "Prefer to use IPv4 even if IPv6 available" to upgrade to 26.1?
February 05, 2026, 04:55:44 PM
Hi,
The upstream router was the issue, it had a IPv6 Group object to route the IPv6 networks behind Opnsense but did not include the IPv6 object representing Opnsense FW. Updating the IPv6 Group object for routing and the problem was resolved. It was not DNS this time only human error :(

Run an Audit -> Connectivity
***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 26.1.1 (amd64) at Thu Feb  5 15:49:16 GMT 2026
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 1500 data bytes

--- 89.149.222.99 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/26.1
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 929 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
PING(1548=40+8+1500 bytes) 2a02:8010:d00d:1:8395:9cef:ffaa:d122 --> 2001:1af8:5300:a010:1::1
1508 bytes from 2001:1af8:5300:a010:1::1, icmp_seq=1 hlim=56 time=23.762 ms
1508 bytes from 2001:1af8:5300:a010:1::1, icmp_seq=2 hlim=56 time=24.991 ms
1508 bytes from 2001:1af8:5300:a010:1::1, icmp_seq=3 hlim=56 time=24.747 ms

--- 2001:1af8:5300:a010:1::1 ping statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
round-trip min/avg/max/stddev = 23.762/24.500/24.991/0.531 ms
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:14:amd64/26.1
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 929 packages processed.
All repositories are up to date.
Checking server certificate for host: pkg.opnsense.org
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA
verify return:1
depth=0 CN = pkg.opnsense.org
verify return:1
DONE
***DONE***
#2
26.1 Series / Re: Need to select "Prefer to use IPv4 even if IPv6 available" to upgrade to 26.1?
February 05, 2026, 03:47:11 PM
Hi,
Opnsense is using a fixed IPv6 WAN address, so Prefix Delegation and SLAAC are not relevant.
#3
26.1 Series / Re: Need to select "Prefer to use IPv4 even if IPv6 available" to upgrade to 26.1?
February 05, 2026, 12:48:00 PM
Hi

My ISP has an MTU of 1492 bytes with the IPv6 standard specifying a minimum of 1280 bytes. For an IPv6 communication to take place the PMTU (Path Maximum Transmission Unit) needs to be discovered or configured as any packets that exceed the PMTU are dropped as IPv6 does not fragment packets the way that IPv4 does. So the PMTU must be determined for successful IPv6 communication to occur between hosts.
So while I have configured the MTU which works fine for IPv4 traffic from the opnsense and for IPv4/IPv6 tranffic traversing opnsense, however when opnsense attempts to make an IPv6 connection itself it is not honouring the MTU from which the PMTU should be defined. This appears to be a bug in opnsense not honouring the MTU (PMTU) value itself and generating too large a packet which will be dropped.
#4
26.1 Series / Re: Need to select "Prefer to use IPv4 even if IPv6 available" to upgrade to 26.1?
February 05, 2026, 11:40:31 AM
Hi
If I do not have MTU set to 1492 then I would lose IPv4 connectivity to the Internet, found this out after I switched from pfsense to Opnsense and forgot to set it on the WAN interface.
Using ssh to connect to opnsense I opened a shell and used ping

root@gw:~ # ping 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 56 data bytes
64 bytes from 89.149.222.99: icmp_seq=0 ttl=54 time=22.515 ms
64 bytes from 89.149.222.99: icmp_seq=1 ttl=54 time=21.932 ms
64 bytes from 89.149.222.99: icmp_seq=2 ttl=54 time=22.901 ms
64 bytes from 89.149.222.99: icmp_seq=3 ttl=54 time=22.742 ms
64 bytes from 89.149.222.99: icmp_seq=4 ttl=54 time=22.489 ms
64 bytes from 89.149.222.99: icmp_seq=5 ttl=54 time=22.700 ms
64 bytes from 89.149.222.99: icmp_seq=6 ttl=54 time=22.553 ms
64 bytes from 89.149.222.99: icmp_seq=7 ttl=54 time=22.428 ms
64 bytes from 89.149.222.99: icmp_seq=8 ttl=54 time=22.512 ms
64 bytes from 89.149.222.99: icmp_seq=9 ttl=54 time=22.197 ms
^C
--- 89.149.222.99 ping statistics ---
10 packets transmitted, 10 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 21.932/22.497/22.901/0.261 ms
root@gw:~ # ping -6 2001:1af8:5300:a010:1::1
PING(56=40+8+8 bytes) 2a02:8010:d00d:1:8395:9cef:ffaa:d122 --> 2001:1af8:5300:a010:1::1
^C
--- 2001:1af8:5300:a010:1::1 ping statistics ---
26 packets transmitted, 0 packets received, 100.0% packet loss

The MSS setting on the WAN interface does not effect IPv6 pings they all fail.

From my desktop the same IPv6 ping to pkg.opnsense.org traversing opnsense (removed MSS value before test as this was the default setting)

$ ping -s 2001:1af8:5300:a010:1::1
PING 2001:1af8:5300:a010:1::1: 56 data bytes
64 bytes from 2001:1af8:5300:a010:1::1: icmp_seq=0. time=21.834 ms
64 bytes from 2001:1af8:5300:a010:1::1: icmp_seq=1. time=22.057 ms
64 bytes from 2001:1af8:5300:a010:1::1: icmp_seq=2. time=21.662 ms
64 bytes from 2001:1af8:5300:a010:1::1: icmp_seq=3. time=21.783 ms
64 bytes from 2001:1af8:5300:a010:1::1: icmp_seq=4. time=21.853 ms
64 bytes from 2001:1af8:5300:a010:1::1: icmp_seq=5. time=22.138 ms
64 bytes from 2001:1af8:5300:a010:1::1: icmp_seq=6. time=22.026 ms
^C
----2001:1af8:5300:a010:1::1 PING Statistics----
7 packets transmitted, 7 packets received, 0% packet loss
round-trip (ms)  min/avg/max/stddev = 21.662/21.908/22.138/0.170

#5
26.1 Series / Re: Need to select "Prefer to use IPv4 even if IPv6 available" to upgrade to 26.1?
February 05, 2026, 11:08:59 AM
Hi,
Run an Audit and selecting connectivity produces the following

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 26.1.1 (amd64) at Thu Feb  5 09:46:54 GMT 2026
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 1500 data bytes

--- 89.149.222.99 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/26.1
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 929 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
PING(1548=40+8+1500 bytes) 2a02:8010:d00d:1:8395:9cef:ffaa:d122 --> 2001:1af8:5300:a010:1::1

--- 2001:1af8:5300:a010:1::1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:14:amd64/26.1
Updating OPNsense repository catalogue...
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
repository OPNsense has no meta file, using default settings
pkg: An error occurred while fetching package: No error

What is interesting is that in my WAN interface I have specified the MTU to be 1492 and initially left the MSS blank and was curious to see the size of IPv6 ping in bytes.

However, I subsequently editted the WAN interface and set the MSS to 1492 and re-ran the Run An Audit, selecting connectivity but the IPv6 ping size is too large.

***GOT REQUEST TO AUDIT CONNECTIVITY***
Currently running OPNsense 26.1.1 (amd64) at Thu Feb  5 09:57:55 GMT 2026
Checking connectivity for host: pkg.opnsense.org -> 89.149.222.99
PING 89.149.222.99 (89.149.222.99): 1500 data bytes

--- 89.149.222.99 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv4): https://pkg.opnsense.org/FreeBSD:14:amd64/26.1
Updating OPNsense repository catalogue...
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 929 packages processed.
All repositories are up to date.
Checking connectivity for host: pkg.opnsense.org -> 2001:1af8:5300:a010:1::1
PING(1548=40+8+1500 bytes) 2a02:8010:d00d:1:8395:9cef:ffaa:d122 --> 2001:1af8:5300:a010:1::1

--- 2001:1af8:5300:a010:1::1 ping statistics ---
4 packets transmitted, 0 packets received, 100.0% packet loss
Checking connectivity for repository (IPv6): https://pkg.opnsense.org/FreeBSD:14:amd64/26.1
Updating OPNsense repository catalogue...
pkg: An error occurred while fetching package: No error
pkg: An error occurred while fetching package: No error
repository OPNsense has no meta file, using default settings
pkg: An error occurred while fetching package: No error

From the linux computers in the house I can ping IPv4 or IPv6 successfully through the Opnsense firewall but the firewall itself is not honouring the MTU/MSS settings on the WAN interface and is thus failing in its IPv6 connectivity.
#6
26.1 Series / Re: Need to select "Prefer to use IPv4 even if IPv6 available" to upgrade to 26.1?
February 05, 2026, 10:46:26 AM
Hi,
Here is the Run an Audit selecting the Upgrade Log, unfortunately it does not show the multiple failed upgrades with "Prefer to use IPv4 even if IPv6 available" disabled. I have been checking the logs on the Firewall and the syslog server.

Updating OPNsense repository catalogue...
pkg-static: Repository OPNsense has a wrong packagesite, need to re-create database
Fetching meta.conf: . done
Fetching data.pkg: .......... done
Processing entries: .......... done
OPNsense repository update completed. 930 packages processed.
OPNsense is up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
OPNsense is up to date.
Checking for upgrades (207 candidates): .......... done
Processing candidates (207 candidates): .......... done
Checking integrity... done (1 conflicting)
- os-isc-dhcp-1.0_3 conflicts with opnsense-25.7.11_9 on /usr/local/etc/dhcpd.opnsense.d/README
Checking integrity... done (0 conflicting)
The following 207 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
dhcp6c: 20250513 -> 20260122
hostwatch: 1.0.6 -> 1.0.11
opnsense: 25.7.11_9 -> 26.1_4
opnsense-lang: 25.7.4 -> 26.1
opnsense-update: 25.7.11 -> 26.1
os-acme-client: 4.11 -> 4.12
os-isc-dhcp: 0.1 -> 1.0_3

Installed packages to be REINSTALLED:
abseil-20250127.1
acme.sh-3.1.2
bash-5.3.9
beep-1.0_2
bind-tools-9.20.16
boost-libs-1.89.0_1
brotli-1.2.0,1
ca_root_nss-3.117_2
choparp-20150613_1
cpdup-1.22_1
cpustats-0.1
curl-8.17.0
cyrus-sasl-2.1.28_5
cyrus-sasl-gssapi-2.1.28
dhcrelay-1.0
dmidecode-3.6
dnsmasq-2.91_1,1
dpinger-3.4
easy-rsa-3.2.4,1
expat-2.7.3
filterlog-0.7_2
flock-2.37.2_1
flowd-0.9.1_5
fstrm-0.6.1_1
gettext-runtime-0.26
glib-2.84.4,2
gmp-6.3.0
hostapd-2.11_3
hyperscan-5.4.2
icu-76.1,1
ifinfo-13.0_1
iftop-1.0.p4_1
indexinfo-0.3.1_1
isc-dhcp44-server-4.4.3P1_2
ivykis-0.43.2_1
jansson-2.14.1
jq-1.8.1
json-c-0.18
jsoncpp-1.9.6_1
kea-3.0.2
krb5-1.22.1
ldns-1.8.4
libargon2-20190702_1
libcbor-0.13.0
libedit-3.1.20251016_1,1
libevent-2.1.12
libffi-3.5.1
libfido2-1.16.0
libgcrypt-1.11.2
libgpg-error-1.58
libiconv-1.18_1
libidn2-2.3.8
libinotify-20240724_3
libltdl-2.5.4
liblz4-1.10.0_2,1
libmcrypt-2.5.8_4
libnet-1.3,1
libnghttp2-1.68.0
libpfctl-0.17
libpsl-0.21.5_2
libsodium-1.0.21
libucl-0.9.3
libunistring-1.4.1
liburcu-0.15.3
libuuid-2.41.1_1
libuv-1.51.0
libxml2-2.14.6
libxslt-1.1.43_1
libyaml-0.2.5
lighttpd-1.4.82
log4cplus-2.1.2
lua54-5.4.8
lzo2-2.10_1
monit-5.35.2
mpd5-5.9_19
mpdecimal-4.0.1
netdata-2.8.1_1
nettle-3.10.2
nspr-4.38.2
nss-3.119.1
ntp-4.2.8p18_5
oniguruma-6.9.10
openldap26-client-2.6.10
openssh-portable-10.2.p1_1,1
openssl-3.0.18,1
openvpn-2.6.17
opnsense-installer-25.1
os-dmidecode-1.2
os-netdata-1.2_1
os-smart-2.4
os-vnstat-1.3_1
pam_opnsense-24.1
pcre2-10.47_1
perl5-5.42.0_1
pftop-0.13
php83-8.3.28
php83-ctype-8.3.28
php83-curl-8.3.28
php83-dom-8.3.28
php83-filter-8.3.28
php83-gettext-8.3.28
php83-ldap-8.3.28
php83-mbstring-8.3.28
php83-pcntl-8.3.28
php83-pdo-8.3.28
php83-pear-1.10.16
php83-pear-Crypt_CHAP-1.5.0_1
php83-pecl-mcrypt-1.0.7
php83-pecl-radius-1.4.0b1_3
php83-phalcon-5.9.3
php83-phpseclib-3.0.48
php83-session-8.3.28
php83-simplexml-8.3.28
php83-sockets-8.3.28
php83-sqlite3-8.3.28
php83-xml-8.3.28
php83-zlib-8.3.28
pkcs11-helper-1.31.0
pkg-2.3.1_1
pkgconf-2.4.3,1
protobuf-29.5,1
protobuf-c-1.5.1_3
py311-Babel-2.17.0_1
py311-Jinja2-3.1.6
py311-aioquic-1.3.0_1
py311-anyio-4.12.0
py311-async_generator-1.10_1
py311-attrs-25.4.0
py311-beautifulsoup-4.13.4_2
py311-bottleneck-1.3.8_1
py311-certifi-2025.11.12
py311-cffi-1.17.1
py311-charset-normalizer-3.4.4
py311-cryptography-45.0.7_1,1
py311-dns-lexicon-3.23.2
py311-dnspython-2.8.0_1,1
py311-duckdb-1.3.2
py311-filelock-3.19.1
py311-h11-0.16.0
py311-h2-4.1.0_1
py311-hpack-4.0.0_1
py311-html5lib-1.1_1
py311-httpcore-1.0.9
py311-httpx-0.28.1_1
py311-hyperframe-6.0.0_1
py311-idna-3.11
py311-jq-1.10.0
py311-ldap3-2.9.1_1
py311-lxml-6.0.1
py311-markupsafe-3.0.3
py311-numexpr-2.14.1
py311-numpy-1.26.4_11,1
py311-outcome-1.3.0_2
py311-packaging-25.0
py311-pandas-2.3.3,1
py311-pyasn1-0.6.0
py311-pyasn1-modules-0.4.1
py311-pycparser-2.23
py311-pylsqpack-0.3.23
py311-pyopenssl-25.3.0_1,1
py311-pyotp-2.9.0_1
py311-pysocks-1.7.1_1
py311-python-dateutil-2.9.0
py311-pytz-2025.2_1,1
py311-pyyaml-6.0.3
py311-requests-2.32.5
py311-requests-file-2.0.0
py311-service-identity-24.2.0
py311-six-1.17.0
py311-sniffio-1.3.1
py311-socksio-1.0.0_1
py311-sortedcontainers-2.4.0_1
py311-soupsieve-2.8
py311-sqlite3-3.11.14_11
py311-tldextract-5.3.0
py311-trio-0.32.0
py311-truststore-0.10.4
py311-typing-extensions-4.15.0
py311-tzdata-2025.3
py311-ujson-5.11.0
py311-urllib3-2.6.0,1
py311-vici-6.0.3
py311-webencodings-0.5.1_1
python311-3.11.14
radvd-2.20
readline-8.3.1
rrdtool-1.9.0_1
samplicator-1.3.8.r1_1
smartmontools-7.5_1
socat-1.8.1.0
sqlite3-3.50.4_2,1
strongswan-6.0.3_1
sudo-1.9.17p2_2
suricata-8.0.3
syslog-ng-4.10.2
unbound-1.24.2
vnstat-2.13
wpa_supplicant-2.11_7
zip-3.0_4
zstd-1.5.7_1

Number of packages to be upgraded: 7
Number of packages to be reinstalled: 200
[1/207] Reinstalling abseil-20250127.1...
[1/207] Extracting abseil-20250127.1: .......... done
[2/207] Reinstalling beep-1.0_2...
[2/207] Extracting beep-1.0_2: ..... done
[3/207] Reinstalling brotli-1.2.0,1...
[3/207] Extracting brotli-1.2.0,1: .......... done
[4/207] Reinstalling ca_root_nss-3.117_2...
[4/207] Extracting ca_root_nss-3.117_2: ..... done
[5/207] Reinstalling choparp-20150613_1...
[5/207] Extracting choparp-20150613_1: ...... done
[6/207] Reinstalling cpustats-0.1...
[6/207] Extracting cpustats-0.1: . done
[7/207] Upgrading dhcp6c from 20250513 to 20260122...
[7/207] Extracting dhcp6c-20260122: ........ done
[8/207] Reinstalling dhcrelay-1.0...
[8/207] Extracting dhcrelay-1.0: ....... done
[9/207] Reinstalling dmidecode-3.6...
[9/207] Extracting dmidecode-3.6: .......... done
[10/207] Reinstalling dpinger-3.4...
[10/207] Extracting dpinger-3.4: .... done
[11/207] Reinstalling easy-rsa-3.2.4,1...
[11/207] Extracting easy-rsa-3.2.4,1: .......... done
[12/207] Reinstalling expat-2.7.3...
[12/207] Extracting expat-2.7.3: .......... done
[13/207] Reinstalling filterlog-0.7_2...
[13/207] Extracting filterlog-0.7_2: .... done
[14/207] Reinstalling flock-2.37.2_1...
[14/207] Extracting flock-2.37.2_1: ...... done
[15/207] Reinstalling flowd-0.9.1_5...
===> Creating groups
Using existing group '_flowd'
===> Creating users
Using existing user '_flowd'
[15/207] Extracting flowd-0.9.1_5: .......... done
[16/207] Upgrading hostwatch from 1.0.6 to 1.0.11...
===> Creating groups
Using existing group 'hostd'
===> Creating users
Using existing user 'hostd'
[16/207] Extracting hostwatch-1.0.11: ..... done
[17/207] Reinstalling hyperscan-5.4.2...
[17/207] Extracting hyperscan-5.4.2: .......... done
[18/207] Reinstalling icu-76.1,1...
[18/207] Extracting icu-76.1,1: .......... done
[19/207] Reinstalling ifinfo-13.0_1...
[19/207] Extracting ifinfo-13.0_1: .... done
[20/207] Reinstalling iftop-1.0.p4_1...
[20/207] Extracting iftop-1.0.p4_1: ..... done
[21/207] Reinstalling indexinfo-0.3.1_1...
[21/207] Extracting indexinfo-0.3.1_1: .... done
[22/207] Reinstalling bash-5.3.9...
[22/207] Extracting bash-5.3.9: .......... done
[23/207] Reinstalling gettext-runtime-0.26...
[23/207] Extracting gettext-runtime-0.26: .......... done
[24/207] Reinstalling gmp-6.3.0...
[24/207] Extracting gmp-6.3.0: .......... done
[25/207] Reinstalling ivykis-0.43.2_1...
[25/207] Extracting ivykis-0.43.2_1: .......... done
[26/207] Reinstalling jansson-2.14.1...
[26/207] Extracting jansson-2.14.1: .......... done
[27/207] Reinstalling json-c-0.18...
[27/207] Extracting json-c-0.18: .......... done
[28/207] Reinstalling jsoncpp-1.9.6_1...
[28/207] Extracting jsoncpp-1.9.6_1: .......... done
[29/207] Reinstalling libargon2-20190702_1...
[29/207] Extracting libargon2-20190702_1: .......... done
[30/207] Reinstalling libcbor-0.13.0...
[30/207] Extracting libcbor-0.13.0: .......... done
[31/207] Reinstalling libedit-3.1.20251016_1,1...
[31/207] Extracting libedit-3.1.20251016_1,1: .......... done
[32/207] Reinstalling libffi-3.5.1...
[32/207] Extracting libffi-3.5.1: .......... done
[33/207] Reinstalling libgpg-error-1.58...
[33/207] Extracting libgpg-error-1.58: .......... done
[34/207] Reinstalling libgcrypt-1.11.2...
[34/207] Extracting libgcrypt-1.11.2: .......... done
[35/207] Reinstalling libiconv-1.18_1...
[35/207] Extracting libiconv-1.18_1: .......... done
[36/207] Reinstalling libinotify-20240724_3...
[36/207] Extracting libinotify-20240724_3: .......... done
[37/207] Reinstalling libltdl-2.5.4...
[37/207] Extracting libltdl-2.5.4: .......... done
[38/207] Reinstalling liblz4-1.10.0_2,1...
[38/207] Extracting liblz4-1.10.0_2,1: .......... done
[39/207] Reinstalling libmcrypt-2.5.8_4...
[39/207] Extracting libmcrypt-2.5.8_4: .......... done
[40/207] Reinstalling libnet-1.3,1...
[40/207] Extracting libnet-1.3,1: .......... done
[41/207] Reinstalling libnghttp2-1.68.0...
[41/207] Extracting libnghttp2-1.68.0: .......... done
[42/207] Reinstalling libpfctl-0.17...
[42/207] Extracting libpfctl-0.17: ...... done
[43/207] Reinstalling libsodium-1.0.21...
[43/207] Extracting libsodium-1.0.21: .......... done
[44/207] Reinstalling libunistring-1.4.1...
[44/207] Extracting libunistring-1.4.1: .......... done
[45/207] Reinstalling libidn2-2.3.8...
[45/207] Extracting libidn2-2.3.8: .......... done
[46/207] Reinstalling libpsl-0.21.5_2...
[46/207] Extracting libpsl-0.21.5_2: .......... done
[47/207] Reinstalling liburcu-0.15.3...
[47/207] Extracting liburcu-0.15.3: .......... done
[48/207] Reinstalling libuuid-2.41.1_1...
[48/207] Extracting libuuid-2.41.1_1: .......... done
[49/207] Reinstalling libuv-1.51.0...
[49/207] Extracting libuv-1.51.0: .......... done
[50/207] Reinstalling libyaml-0.2.5...
[50/207] Extracting libyaml-0.2.5: ......... done
[51/207] Reinstalling log4cplus-2.1.2...
[51/207] Extracting log4cplus-2.1.2: .......... done
[52/207] Reinstalling lua54-5.4.8...
[52/207] Extracting lua54-5.4.8: ......... done
[53/207] Reinstalling libucl-0.9.3...
[53/207] Extracting libucl-0.9.3: .......... done
[54/207] Reinstalling lzo2-2.10_1...
[54/207] Extracting lzo2-2.10_1: .......... done
[55/207] Reinstalling mpd5-5.9_19...
[55/207] Extracting mpd5-5.9_19: .......... done
[56/207] Reinstalling mpdecimal-4.0.1...
[56/207] Extracting mpdecimal-4.0.1: .......... done
[57/207] Reinstalling nettle-3.10.2...
[57/207] Extracting nettle-3.10.2: .......... done
[58/207] Reinstalling dnsmasq-2.91_1,1...
[58/207] Extracting dnsmasq-2.91_1,1: .......... done
[59/207] Reinstalling nspr-4.38.2...
[59/207] Extracting nspr-4.38.2: .......... done
[60/207] Reinstalling oniguruma-6.9.10...
[60/207] Extracting oniguruma-6.9.10: .......... done
[61/207] Reinstalling jq-1.8.1...
[61/207] Extracting jq-1.8.1: .......... done
[62/207] Reinstalling openssl-3.0.18,1...
[62/207] Extracting openssl-3.0.18,1: .......... done
[63/207] Reinstalling cpdup-1.22_1...
[63/207] Extracting cpdup-1.22_1: ..... done
[64/207] Reinstalling cyrus-sasl-2.1.28_5...
*** Updated user `cyrus'.
[64/207] Extracting cyrus-sasl-2.1.28_5: .......... done
[65/207] Reinstalling hostapd-2.11_3...
[65/207] Extracting hostapd-2.11_3: ....... done
[66/207] Reinstalling ldns-1.8.4...
[66/207] Extracting ldns-1.8.4: .......... done
[67/207] Reinstalling libevent-2.1.12...
[67/207] Extracting libevent-2.1.12: .......... done
[68/207] Reinstalling fstrm-0.6.1_1...
[68/207] Extracting fstrm-0.6.1_1: .......... done
[69/207] Reinstalling libfido2-1.16.0...
[69/207] Extracting libfido2-1.16.0: .......... done
[70/207] Reinstalling monit-5.35.2...
[70/207] Extracting monit-5.35.2: ....... done
[71/207] Reinstalling openssh-portable-10.2.p1_1,1...
[71/207] Extracting openssh-portable-10.2.p1_1,1: .......... done
[72/207] Reinstalling opnsense-installer-25.1...
[72/207] Extracting opnsense-installer-25.1: .......... done
[73/207] Upgrading opnsense-lang from 25.7.4 to 26.1...
[73/207] Extracting opnsense-lang-26.1: .......... done
[74/207] Upgrading opnsense-update from 25.7.11 to 26.1...
[74/207] Extracting opnsense-update-26.1: .......... done
[75/207] Reinstalling os-dmidecode-1.2...
[75/207] Extracting os-dmidecode-1.2: ...... done
configd not running? (check /var/run/configd.pid).
Starting configd.
Reloading plugin configuration
Flushing all caches...done.
Configuring system logging...done.
[76/207] Reinstalling pam_opnsense-24.1...
[76/207] Extracting pam_opnsense-24.1: ........ done
[77/207] Reinstalling pcre2-10.47_1...
[77/207] Extracting pcre2-10.47_1: .......... done
[78/207] Reinstalling lighttpd-1.4.82...
===> Creating groups
Using existing group 'www'
===> Creating users
Using existing user 'www'
[78/207] Extracting lighttpd-1.4.82: .......... done
[79/207] Reinstalling perl5-5.42.0_1...
[79/207] Extracting perl5-5.42.0_1: .......... done
[80/207] Reinstalling ntp-4.2.8p18_5...
[80/207] Extracting ntp-4.2.8p18_5: .......... done
[81/207] Reinstalling pftop-0.13...
[81/207] Extracting pftop-0.13: ..... done
[82/207] Reinstalling pkcs11-helper-1.31.0...
[82/207] Extracting pkcs11-helper-1.31.0: .......... done
[83/207] Reinstalling openvpn-2.6.17...
===> Creating groups
Using existing group 'openvpn'
===> Creating users
Using existing user 'openvpn'
[83/207] Extracting openvpn-2.6.17: .......... done
[84/207] Reinstalling pkg-2.3.1_1...
[84/207] Extracting pkg-2.3.1_1: .......... done
[85/207] Reinstalling pkgconf-2.4.3,1...
[85/207] Extracting pkgconf-2.4.3,1: .......... done
[86/207] Reinstalling protobuf-29.5,1...
[86/207] Extracting protobuf-29.5,1: .......... done
[87/207] Reinstalling protobuf-c-1.5.1_3...
[87/207] Extracting protobuf-c-1.5.1_3: .......... done
[88/207] Reinstalling bind-tools-9.20.16...
[88/207] Extracting bind-tools-9.20.16: .......... done
[89/207] Reinstalling radvd-2.20...
[89/207] Extracting radvd-2.20: .......... done
[90/207] Reinstalling readline-8.3.1...
[90/207] Extracting readline-8.3.1: .......... done
[91/207] Reinstalling krb5-1.22.1...
[91/207] Extracting krb5-1.22.1: .......... done
[92/207] Reinstalling cyrus-sasl-gssapi-2.1.28...
[92/207] Extracting cyrus-sasl-gssapi-2.1.28: .......... done
[93/207] Reinstalling libxml2-2.14.6...
[93/207] Extracting libxml2-2.14.6: .......... done
[94/207] Reinstalling libxslt-1.1.43_1...
[94/207] Extracting libxslt-1.1.43_1: .......... done
[95/207] Reinstalling openldap26-client-2.6.10...
[95/207] Extracting openldap26-client-2.6.10: .......... done
[96/207] Reinstalling php83-8.3.28...
[96/207] Extracting php83-8.3.28: .......... done
[97/207] Reinstalling php83-ctype-8.3.28...
[97/207] Extracting php83-ctype-8.3.28: ........ done
[98/207] Reinstalling php83-dom-8.3.28...
[98/207] Extracting php83-dom-8.3.28: .......... done
[99/207] Reinstalling php83-filter-8.3.28...
[99/207] Extracting php83-filter-8.3.28: ......... done
[100/207] Reinstalling php83-gettext-8.3.28...
[100/207] Extracting php83-gettext-8.3.28: ........ done
[101/207] Reinstalling php83-ldap-8.3.28...
[101/207] Extracting php83-ldap-8.3.28: ........ done
[102/207] Reinstalling php83-mbstring-8.3.28...
[102/207] Extracting php83-mbstring-8.3.28: .......... done
[103/207] Reinstalling php83-pcntl-8.3.28...
[103/207] Extracting php83-pcntl-8.3.28: ......... done
[104/207] Reinstalling php83-pdo-8.3.28...
[104/207] Extracting php83-pdo-8.3.28: .......... done
[105/207] Reinstalling php83-pecl-mcrypt-1.0.7...
[105/207] Extracting php83-pecl-mcrypt-1.0.7: ........ done
[106/207] Reinstalling php83-pecl-radius-1.4.0b1_3...
[106/207] Extracting php83-pecl-radius-1.4.0b1_3: .......... done
[107/207] Reinstalling php83-phpseclib-3.0.48...
[107/207] Extracting php83-phpseclib-3.0.48: ......... done
[108/207] Reinstalling php83-session-8.3.28...
[108/207] Extracting php83-session-8.3.28: .......... done
[109/207] Reinstalling php83-phalcon-5.9.3...
[109/207] Extracting php83-phalcon-5.9.3: ........ done
[110/207] Reinstalling php83-simplexml-8.3.28...
[110/207] Extracting php83-simplexml-8.3.28: ......... done
[111/207] Reinstalling php83-sockets-8.3.28...
[111/207] Extracting php83-sockets-8.3.28: .......... done
[112/207] Reinstalling php83-xml-8.3.28...
[112/207] Extracting php83-xml-8.3.28: ......... done
[113/207] Reinstalling php83-zlib-8.3.28...
[113/207] Extracting php83-zlib-8.3.28: ........ done
[114/207] Reinstalling php83-pear-1.10.16...
[114/207] Extracting php83-pear-1.10.16: .......... done
[115/207] Reinstalling php83-pear-Crypt_CHAP-1.5.0_1...
[115/207] Extracting php83-pear-Crypt_CHAP-1.5.0_1: ...... done
uninstall ok: channel://pear.php.net/Crypt_CHAP-1.5.0
install ok: channel://pear.php.net/Crypt_CHAP-1.5.0
[116/207] Reinstalling python311-3.11.14...
[116/207] Extracting python311-3.11.14: .......... done
[117/207] Reinstalling py311-Babel-2.17.0_1...
[117/207] Extracting py311-Babel-2.17.0_1: .......... done
[118/207] Reinstalling py311-async_generator-1.10_1...
[118/207] Extracting py311-async_generator-1.10_1: .......... done
[119/207] Reinstalling py311-attrs-25.4.0...
[119/207] Extracting py311-attrs-25.4.0: .......... done
[120/207] Reinstalling py311-certifi-2025.11.12...
[120/207] Extracting py311-certifi-2025.11.12: .......... done
[121/207] Reinstalling py311-charset-normalizer-3.4.4...
[121/207] Extracting py311-charset-normalizer-3.4.4: .......... done
[122/207] Reinstalling py311-filelock-3.19.1...
[122/207] Extracting py311-filelock-3.19.1: .......... done
[123/207] Reinstalling py311-h11-0.16.0...
[123/207] Extracting py311-h11-0.16.0: .......... done
[124/207] Reinstalling py311-hpack-4.0.0_1...
[124/207] Extracting py311-hpack-4.0.0_1: .......... done
[125/207] Reinstalling py311-hyperframe-6.0.0_1...
[125/207] Extracting py311-hyperframe-6.0.0_1: .......... done
[126/207] Reinstalling py311-h2-4.1.0_1...
[126/207] Extracting py311-h2-4.1.0_1: .......... done
[127/207] Reinstalling py311-idna-3.11...
[127/207] Extracting py311-idna-3.11: .......... done
[128/207] Reinstalling py311-lxml-6.0.1...
[128/207] Extracting py311-lxml-6.0.1: .......... done
[129/207] Reinstalling py311-markupsafe-3.0.3...
[129/207] Extracting py311-markupsafe-3.0.3: .......... done
[130/207] Reinstalling py311-Jinja2-3.1.6...
[130/207] Extracting py311-Jinja2-3.1.6: .......... done
[131/207] Reinstalling py311-numpy-1.26.4_11,1...
[131/207] Extracting py311-numpy-1.26.4_11,1: .......... done
[132/207] Reinstalling py311-bottleneck-1.3.8_1...
[132/207] Extracting py311-bottleneck-1.3.8_1: .......... done
[133/207] Reinstalling py311-numexpr-2.14.1...
[133/207] Extracting py311-numexpr-2.14.1: .......... done
[134/207] Reinstalling py311-outcome-1.3.0_2...
[134/207] Extracting py311-outcome-1.3.0_2: .......... done
[135/207] Reinstalling py311-packaging-25.0...
[135/207] Extracting py311-packaging-25.0: .......... done
[136/207] Reinstalling glib-2.84.4,2...
[136/207] Extracting glib-2.84.4,2: .......... done
[137/207] Reinstalling py311-pyasn1-0.6.0...
[137/207] Extracting py311-pyasn1-0.6.0: .......... done
[138/207] Reinstalling py311-ldap3-2.9.1_1...
[138/207] Extracting py311-ldap3-2.9.1_1: .......... done
[139/207] Reinstalling py311-pyasn1-modules-0.4.1...
[139/207] Extracting py311-pyasn1-modules-0.4.1: .......... done
[140/207] Reinstalling py311-pycparser-2.23...
[140/207] Extracting py311-pycparser-2.23: .......... done
[141/207] Reinstalling py311-cffi-1.17.1...
[141/207] Extracting py311-cffi-1.17.1: .......... done
[142/207] Reinstalling py311-cryptography-45.0.7_1,1...
[142/207] Extracting py311-cryptography-45.0.7_1,1: .......... done
[143/207] Reinstalling py311-pylsqpack-0.3.23...
[143/207] Extracting py311-pylsqpack-0.3.23: .......... done
[144/207] Reinstalling py311-pyotp-2.9.0_1...
[144/207] Extracting py311-pyotp-2.9.0_1: .......... done
[145/207] Reinstalling py311-pysocks-1.7.1_1...
[145/207] Extracting py311-pysocks-1.7.1_1: .......... done
[146/207] Reinstalling py311-pytz-2025.2_1,1...
[146/207] Extracting py311-pytz-2025.2_1,1: .......... done
[147/207] Reinstalling py311-pyyaml-6.0.3...
[147/207] Extracting py311-pyyaml-6.0.3: .......... done
[148/207] Reinstalling py311-service-identity-24.2.0...
[148/207] Extracting py311-service-identity-24.2.0: .......... done
[149/207] Reinstalling py311-six-1.17.0...
[149/207] Extracting py311-six-1.17.0: .......... done
[150/207] Reinstalling py311-python-dateutil-2.9.0...
[150/207] Extracting py311-python-dateutil-2.9.0: .......... done
[151/207] Reinstalling py311-sniffio-1.3.1...
[151/207] Extracting py311-sniffio-1.3.1: .......... done
[152/207] Reinstalling py311-socksio-1.0.0_1...
[152/207] Extracting py311-socksio-1.0.0_1: .......... done
[153/207] Reinstalling py311-sortedcontainers-2.4.0_1...
[153/207] Extracting py311-sortedcontainers-2.4.0_1: .......... done
[154/207] Reinstalling py311-soupsieve-2.8...
[154/207] Extracting py311-soupsieve-2.8: .......... done
[155/207] Reinstalling py311-trio-0.32.0...
[155/207] Extracting py311-trio-0.32.0: .......... done
[156/207] Reinstalling py311-truststore-0.10.4...
[156/207] Extracting py311-truststore-0.10.4: .......... done
[157/207] Reinstalling py311-typing-extensions-4.15.0...
[157/207] Extracting py311-typing-extensions-4.15.0: .......... done
[158/207] Reinstalling py311-anyio-4.12.0...
[158/207] Extracting py311-anyio-4.12.0: .......... done
[159/207] Reinstalling py311-httpcore-1.0.9...
[159/207] Extracting py311-httpcore-1.0.9: .......... done
[160/207] Reinstalling py311-httpx-0.28.1_1...
[160/207] Extracting py311-httpx-0.28.1_1: .......... done
[161/207] Reinstalling py311-pyopenssl-25.3.0_1,1...
[161/207] Extracting py311-pyopenssl-25.3.0_1,1: .......... done
[162/207] Reinstalling py311-aioquic-1.3.0_1...
[162/207] Extracting py311-aioquic-1.3.0_1: .......... done
[163/207] Reinstalling py311-dnspython-2.8.0_1,1...
[163/207] Extracting py311-dnspython-2.8.0_1,1: .......... done
[164/207] Reinstalling py311-tzdata-2025.3...
[164/207] Extracting py311-tzdata-2025.3: .......... done
[165/207] Reinstalling py311-ujson-5.11.0...
[165/207] Extracting py311-ujson-5.11.0: .......... done
[166/207] Reinstalling py311-urllib3-2.6.0,1...
[166/207] Extracting py311-urllib3-2.6.0,1: .......... done
[167/207] Reinstalling py311-requests-2.32.5...
[167/207] Extracting py311-requests-2.32.5: .......... done
[168/207] Reinstalling py311-jq-1.10.0...
[168/207] Extracting py311-jq-1.10.0: ........ done
[169/207] Reinstalling py311-requests-file-2.0.0...
[169/207] Extracting py311-requests-file-2.0.0: .......... done
[170/207] Reinstalling py311-tldextract-5.3.0...
[170/207] Extracting py311-tldextract-5.3.0: .......... done
[171/207] Reinstalling py311-vici-6.0.3...
[171/207] Extracting py311-vici-6.0.3: .......... done
[172/207] Reinstalling py311-webencodings-0.5.1_1...
[172/207] Extracting py311-webencodings-0.5.1_1: .......... done
[173/207] Reinstalling py311-html5lib-1.1_1...
[173/207] Extracting py311-html5lib-1.1_1: .......... done
[174/207] Reinstalling py311-beautifulsoup-4.13.4_2...
[174/207] Extracting py311-beautifulsoup-4.13.4_2: .......... done
[175/207] Reinstalling py311-dns-lexicon-3.23.2...
[175/207] Extracting py311-dns-lexicon-3.23.2: .......... done
[176/207] Reinstalling rrdtool-1.9.0_1...
[176/207] Extracting rrdtool-1.9.0_1: .......... done
[177/207] Reinstalling samplicator-1.3.8.r1_1...
[177/207] Extracting samplicator-1.3.8.r1_1: ..... done
[178/207] Reinstalling smartmontools-7.5_1...
[178/207] Extracting smartmontools-7.5_1: .......... done
[179/207] Reinstalling os-smart-2.4...
[179/207] Extracting os-smart-2.4: .......... done
Stopping configd...done
Starting configd.
Reloading plugin configuration
Flushing all caches...done.
Configuring system logging...done.
[180/207] Reinstalling socat-1.8.1.0...
[180/207] Extracting socat-1.8.1.0: ......... done
[181/207] Reinstalling sqlite3-3.50.4_2,1...
[181/207] Extracting sqlite3-3.50.4_2,1: .......... done
[182/207] Reinstalling nss-3.119.1...
[182/207] Extracting nss-3.119.1: .......... done
[183/207] Reinstalling php83-sqlite3-8.3.28...
[183/207] Extracting php83-sqlite3-8.3.28: ......... done
[184/207] Reinstalling py311-sqlite3-3.11.14_11...
[184/207] Extracting py311-sqlite3-3.11.14_11: ......... done
[185/207] Reinstalling py311-pandas-2.3.3,1...
[185/207] Extracting py311-pandas-2.3.3,1: .......... done
[186/207] Reinstalling py311-duckdb-1.3.2...
[186/207] Extracting py311-duckdb-1.3.2: .......... done
[187/207] Reinstalling sudo-1.9.17p2_2...
[187/207] Extracting sudo-1.9.17p2_2: .......... done
[188/207] Reinstalling suricata-8.0.3...
[188/207] Extracting suricata-8.0.3: .......... done
[189/207] Reinstalling unbound-1.24.2...
===> Creating groups
Using existing group 'unbound'
===> Creating users
Using existing user 'unbound'
[189/207] Extracting unbound-1.24.2: .......... done
[190/207] Reinstalling vnstat-2.13...
===> Creating groups
Using existing group 'vnstat'
===> Creating users
Using existing user 'vnstat'
[190/207] Extracting vnstat-2.13: .......... done
[191/207] Reinstalling os-vnstat-1.3_1...
[191/207] Extracting os-vnstat-1.3_1: .......... done
Stopping configd...done
Starting configd.
Reloading plugin configuration
Flushing all caches...done.
Configuring system logging...done.
Reloading template OPNsense/Vnstat: OK
[192/207] Reinstalling wpa_supplicant-2.11_7...
[192/207] Extracting wpa_supplicant-2.11_7: .......... done
[193/207] Reinstalling zip-3.0_4...
[193/207] Extracting zip-3.0_4: .......... done
[194/207] Reinstalling zstd-1.5.7_1...
[194/207] Extracting zstd-1.5.7_1: .......... done
[195/207] Reinstalling boost-libs-1.89.0_1...
[195/207] Extracting boost-libs-1.89.0_1: .......... done
[196/207] Reinstalling curl-8.17.0...
[196/207] Extracting curl-8.17.0: .......... done
[197/207] Reinstalling acme.sh-3.1.2...
===> Creating groups
Using existing group 'acme'
===> Creating users
Using existing user 'acme'
===> Creating homedir(s)
[197/207] Extracting acme.sh-3.1.2: .......... done
[198/207] Reinstalling kea-3.0.2...
[198/207] Extracting kea-3.0.2: .......... done
[199/207] Reinstalling netdata-2.8.1_1...
===> Creating groups
Using existing group 'netdata'
===> Creating users
Using existing user 'netdata'
===> Creating homedir(s)
[199/207] Extracting netdata-2.8.1_1: .......... done
[200/207] Upgrading os-acme-client from 4.11 to 4.12...
[200/207] Extracting os-acme-client-4.12: .......... done
Stopping configd...done
Starting configd.
Reloading plugin configuration
Flushing all caches...done.
Configuring system logging...done.
Reloading template OPNsense/AcmeClient: OK
[201/207] Reinstalling os-netdata-1.2_1...
[201/207] Extracting os-netdata-1.2_1: .......... done
Stopping configd...done
Starting configd.
Reloading plugin configuration
Flushing all caches...done.
Configuring system logging...done.
Reloading template OPNsense/Netdata: OK
[202/207] Reinstalling php83-curl-8.3.28...
[202/207] Extracting php83-curl-8.3.28: .......... done
[203/207] Reinstalling strongswan-6.0.3_1...
[203/207] Extracting strongswan-6.0.3_1: .......... done
[204/207] Reinstalling syslog-ng-4.10.2...
[204/207] Extracting syslog-ng-4.10.2: .......... done
[205/207] Upgrading opnsense from 25.7.11_9 to 26.1_4...
[205/207] Extracting opnsense-26.1_4: .......... done
Stopping configd...done
Resetting root shell
Updating /etc/shells
Unhooking from /etc/rc
Unhooking from /etc/rc.shutdown
Updating /etc/shells
Registering root shell
Hooking into /etc/rc
Hooking into /etc/rc.shutdown
Starting configd.
>>> Invoking update script 'refresh.sh'
Migrated OPNsense\Radvd\Radvd from 0.0.0 to 1.0.0
Migrated OPNsense\IDS\IDS from 1.1.1 to 1.1.2
Migrated OPNsense\Interfaces\Settings from 0.0.0 to 1.0.0
Migrated OPNsense\Firewall\DNat
Flushing all caches...done.
Writing firmware settings: FreeBSD OPNsense
Writing trust files...done.
Scanning /usr/share/certs/untrusted for certificates...
Scanning /usr/share/certs/trusted for certificates...
Scanning /usr/local/share/certs for certificates...
certctl: Modified 192 trust store links.
Writing trust bundles...done.
Configuring login behaviour...done.
Configuring cron...done.
Configuring system logging...done.
[206/207] Reinstalling isc-dhcp44-server-4.4.3P1_2...
===> Creating groups
Using existing group 'dhcpd'
===> Creating users
Using existing user 'dhcpd'
[206/207] Extracting isc-dhcp44-server-4.4.3P1_2: .......... done
[207/207] Upgrading os-isc-dhcp from 0.1 to 1.0_3...
[207/207] Extracting os-isc-dhcp-1.0_3: .......... done
Stopping configd...done
Starting configd.
Reloading plugin configuration
Flushing all caches...done.
Configuring system logging...done.
Reloading template OPNsense/Syslog: OK
==> Running trigger: gio-modules.ucl
Generating GIO modules cache
==> Running trigger: glib-schemas.ucl
Compiling glib schemas
No schema files found: doing nothing.
You may need to manually remove /usr/local/etc/ssl/cert.pem if it is no longer needed.
You may need to manually remove /usr/local/etc/dnsmasq.conf if it is no longer needed.
=====
Message from dnsmasq-2.91_1,1:

--
To enable dnsmasq, edit /usr/local/etc/dnsmasq.conf and
set dnsmasq_enable="YES" in /etc/rc.conf[.local]

Further options and actions are documented inside
/usr/local/etc/rc.d/dnsmasq


NOTE: when using dnssec, inaccurate system clocks
can cause DNS resolution to fail
because DNSSEC signatures may then not validate.


SECURITY RECOMMENDATION
~~~~~~~~~~~~~~~~~~~~~~~
It is recommended to enable the wpad-related options
at the end of the configuration file (you may need to
copy them from the example file to yours) to fix
CERT Vulnerability VU#598349.
=====
Message from oniguruma-6.9.10:

--
===> NOTICE:

This port is deprecated; you may wish to reconsider installing it:

Project archived upstream.

It is scheduled to be removed on or after 2026-12-01.
You may need to manually remove /usr/local/openssl/openssl.cnf if it is no longer needed.
You may need to manually remove /usr/local/etc/ssh/sshd_config if it is no longer needed.
=====
Message from openvpn-2.6.17:

--
Note that OpenVPN now configures a separate user and group "openvpn",
which should be used instead of the NFS user "nobody"
when an unprivileged user account is desired.

It is advisable to review existing configuration files and
to consider adding/changing user openvpn and group openvpn.
=====
Message from py311-urllib3-2.6.0,1:

--
Since version 1.25 HTTPS connections are now verified by default which is done
via "cert_reqs = 'CERT_REQUIRED'". While certificate verification can be
disabled via "cert_reqs = 'CERT_NONE'", it's highly recommended to leave it on.

Various consumers of net/py-urllib3 already have implemented routines that
either explicitly enable or disable HTTPS certificate verification (e.g. via
configuration settings, CLI arguments, etc.).

Yet it may happen that there are still some consumers which don't explicitly
enable/disable certificate verification for HTTPS connections which could then
lead to errors (as is often the case with self-signed certificates).

In case of an error one should try first to temporarily disable certificate
verification of the problematic urllib3 consumer to see if that approach will
remedy the issue.
You may need to manually remove /usr/local/etc/suricata/classification.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/reference.config if it is no longer needed.
You may need to manually remove /usr/local/etc/suricata/suricata.yaml if it is no longer needed.
You may need to manually remove /usr/local/etc/vnstat.conf if it is no longer needed.
=====
Message from acme.sh-3.1.2:

--
In versions < 3.0.5_1, sample newsyslog files were installed to

/usr/local/etc/newsyslog.d/acme.sh

Now they are installed to:

/usr/local/etc/newsyslog.conf.d/acme.sh.conf

You may wish to delete the old files/directory and edit the new files to
enable the log rotation. Instructions contained within.
You may need to manually remove /usr/local/etc/kea/kea-ctrl-agent.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/kea-dhcp4.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/kea-dhcp6.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/kea/keactrl.conf if it is no longer needed.
You may need to manually remove /usr/local/etc/netdata/netdata.conf if it is no longer needed.
=====
Message from strongswan-6.0.3_1:

--
The default strongSwan configuration interface have been updated to vici.
To use the stroke interface by default either compile the port without the vici option or
set 'strongswan_interface="stroke"' in your rc.conf file.
You may need to manually remove /usr/local/etc/syslog-ng.conf if it is no longer needed.
=====
Message from opnsense-26.1_4:

--
One step ahead, one step behind it, now you gotta run to get even
Checking all packages: .......... done
#7
26.1 Series / Re: Need to select "Prefer to use IPv4 even if IPv6 available" to upgrade to 26.1?
February 04, 2026, 07:28:56 PM
Thanks for the feedback, however I never had a problem with IPv6 connectivity in 11 years except with pfsense and now Opnsense (same problem with major upgrades), while upgrades within a major release never cause an issue with "Prefer to use IPv4 even if IPv6 available" disabled.
 
#8
26.1 Series / Need to select "Prefer to use IPv4 even if IPv6 available" to upgrade to 26.1?
February 04, 2026, 07:05:54 AM
Hi,
After trying to upgrade to 26.1 even using Option 12 on the console and it failing with truncated .sig files. After googling I found a suggestion to enable "Prefer to use IPv4 even if IPv6 available" immediately doing this the upgrade process was completely different when this option was not selected. A summary of the upgrade and its changed appeared which appears to be hosted on github based on forum post did not appear when the option was not selected. When I perform a dig for github.com it does not have an IPv6 address which explains why it did not appear.

dig @8.8.8.8 github.com aaaa

; <<>> DiG 9.18.42 <<>> @8.8.8.8 github.com aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26887
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;github.com.                    IN      AAAA

;; AUTHORITY SECTION:
github.com.             1112    IN      SOA     dns1.p08.nsone.net. hostmaster.nsone.net. 1656468023 43200 7200 1209600 3600

;; Query time: 16 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Wed Feb 04 05:54:38 GMT 2026
;; MSG SIZE  rcvd: 104

Is there any possibility to IPv6 support incorporated into the upgrade process so that "Prefer to use IPv4 even if IPv6 available" is not required in the future to perform an upgrade. Just to put things into context IPv6 traffic arriving at google.com peaked at 49.57% so far this year, it was 46.43% in January 2025. https://www.google.com/intl/en/ipv6/statistics.html

#9
25.7, 25.10 Series / Re: Reporting -> Insight -> Totals tab add option to show network registration name
October 18, 2025, 12:02:29 PM
After a bit of research the following does appear to produce consistent results by selecting JSON output.
Write to temporary file to minimise calls to rdap

$ rdap -j -t ip <random-ip>  > /tmp/RDAP

Registrant     $ cat /tmp/RDAP | jq '.remarks | .[] .description'
Country        $ cat /tmp/RDAP | jq '.country'
Start IP         $ cat /tmp/RDAP | jq '.startaddress'
End IP          $ cat /tmp/RDAP | jq '.endAddress'

#10
25.7, 25.10 Series / Re: Reporting -> Insight -> Totals tab add option to show network registration name
October 18, 2025, 12:19:07 AM
 I found that the registrant details could be obtained using the following filter "grep fn"

$ rdap -t ip <random ip> | grep fn

Unfortunately while multiple lines are returned, in most cases the 1st line is the Registrant Name
 
$ rdap -t ip <random ip> | grep fn | head -n 1

However this is not always the case, with some Registrants it is the 2nd or 3rd line where the Registrant Name is provided
#11
25.7, 25.10 Series / Re: Reporting -> Insight -> Totals tab add option to show network registration name
October 17, 2025, 05:22:28 PM
All requests globally can be achieved via a web query to https://rdap.org/<query-type>/<query> or more likely if using the linux rdap cli tool does the https query for you. All that is required for example "rdap -t ip <ipv4/ipv6 address>

$ rdap -h
OpenRDAP v0.9.1
(www.openrdap.org)

Usage: rdap [OPTIONS] DOMAIN|IP|ASN|ENTITY|NAMESERVER|RDAP-URL
  e.g. rdap example.cz
       rdap 192.0.2.0
       rdap 2001:db8::
       rdap AS2856
       rdap https://rdap.nic.cz/domain/example.cz

       rdap -f registrant -f administrative -f billing amazon.com.br
       rdap --json https://rdap.nic.cz/domain/example.cz
       rdap -s https://rdap.nic.cz -t help

Options:
  -h, --help          Show help message.
  -v, --verbose       Print verbose messages on STDERR.

  -T, --timeout=SECS  Timeout after SECS seconds (default: 30).
  -k, --insecure      Disable SSL certificate verification.

  -e, --experimental  Enable some experimental options:
                      - Use the bootstrap service https://test.rdap.net/rdap
                      - Enable object tag support

Authentication options:
  -P, --p12=cert.p12[:password] Use client certificate & private key (PKCS#12 format)
or:
  -C, --cert=cert.pem           Use client certificate (PEM format)
  -K, --key=cert.key            Use client private key (PEM format)

Output Options:
      --text          Output RDAP, plain text "tree" format (default).
  -w, --whois         Output WHOIS style (domain queries only).
  -j, --json          Output JSON, pretty-printed format.
  -r, --raw           Output the raw server response.

Advanced options (query):
  -s  --server=URL    RDAP server to query.
  -t  --type=TYPE     RDAP query type. Normally auto-detected. The types are:
                      - ip
                      - domain
                      - autnum
                      - nameserver
                      - entity
                      - help
                      - url
                      - domain-search
                      - domain-search-by-nameserver
                      - domain-search-by-nameserver-ip
                      - nameserver-search
                      - nameserver-search-by-ip
                      - entity-search
                      - entity-search-by-handle
                      The servers for domain, ip, autnum, url queries can be
                      determined automatically. Otherwise, the RDAP server
                      (--server=URL) must be specified.

Advanced options (bootstrapping):
      --cache-dir=DIR Bootstrap cache directory to use. Specify empty string
                      to disable bootstrap caching. The directory is created
                      automatically as needed. (default: $HOME/.openrdap).
      --bs-url=URL    Bootstrap service URL (default: https://data.iana.org/rdap)
      --bs-ttl=SECS   Bootstrap cache time in seconds (default: 3600)

Advanced options (experiments):
      --exp=test_rdap_net  Use the bootstrap service https://test.rdap.net/rdap
      --exp=object_tag     Enable object tag support
                           (draft-hollenbeck-regext-rdap-object-tag)

As you can see the rdap command has many options and rdap is the replacement for whois.
The key information for display is the Network Registrant in the tab, if an IP address is associated with a large corporation like Microsoft then traffic can be categorised by Organisation.
#12
25.7, 25.10 Series / Reporting -> Insight -> Totals tab add option to show network registration name
October 17, 2025, 02:05:28 PM
Within the Reporting -> Insight -> Totals, add an additional option "Reverse Network Owner" so that when checked a Registration Data Access Protocol (RDAP) is made to retrieve the details of the Network registered user.  Here is the output of rdap

# rdap -t ip 34.117.223.223
IP Network:
  Handle: NET-34-64-0-0-1
  Start Address: 34.64.0.0
  End Address: 34.127.255.255
  IP Version: v4
  Name: GOOGL-2
  Type: DIRECT ALLOCATION
  ParentHandle: NET-34-0-0-0-0
  Status: active
  Port43: whois.arin.net
  Notice:
    Title: Terms of Service
    Description: By using the ARIN RDAP/Whois service, you are agreeing to the RDAP/Whois Terms of Use
    Link: https://www.arin.net/resources/registry/whois/tou/
  Notice:
    Title: Whois Inaccuracy Reporting
    Description: If you see inaccuracies in the results, please visit:
    Link: https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
  Notice:
    Title: Copyright Notice
    Description: Copyright 1997-2025, American Registry for Internet Numbers, Ltd.
  Entity:
    Handle: GOOGL-2
    Port43: whois.arin.net
    Remark:
      Title: Registration Comments
      Description: *** The IP addresses under this Org-ID are in use by Google Cloud customers ***
      Description:
      Description: Direct all copyright and legal complaints to
      Description: https://support.google.com/legal/go/report
      Description:
      Description: Direct all spam and abuse complaints to
      Description: https://support.google.com/code/go/gce_abuse_report
      Description:
      Description: For fastest response, use the relevant forms above.
      Description:
      Description: Complaints can also be sent to the GC Abuse desk
      Description: (google-cloud-compliance@google.com)
      Description: but may have longer turnaround times.
      Description:
      Description: Complaints sent to any other POC will be ignored.
    Link: https://rdap.arin.net/registry/entity/GOOGL-2
    Link: https://whois.arin.net/rest/org/GOOGL-2
    Event:
      Action: last changed
      Date: 2019-11-01T05:34:25-04:00
    Event:
      Action: registration
      Date: 2006-09-29T16:40:11-04:00
    Role: registrant
    vCard version: 4.0
    vCard fn: Google LLC
    vCard kind: org
    Entity:
      Handle: GCABU-ARIN
      Port43: whois.arin.net
      Remark:
        Title: Unvalidated POC
        Description: ARIN has attempted to validate the data for this POC, but has received no response from the POC since 2022-04-09
      Link: https://rdap.arin.net/registry/entity/GCABU-ARIN
      Link: https://whois.arin.net/rest/poc/GCABU-ARIN
      Event:
        Action: last changed
        Date: 2021-04-09T11:46:04-04:00
      Event:
        Action: registration
        Date: 2011-03-30T00:36:28-04:00
      Role: abuse
      Role: noc
      vCard version: 4.0
      vCard fn: GC Abuse
      vCard org: GC Abuse
      vCard kind: group
      vCard email: google-cloud-compliance@google.com
      vCard tel: +1-650-253-0000
    Entity:
      Handle: ZG39-ARIN
      Status: validated
      Port43: whois.arin.net
      Link: https://rdap.arin.net/registry/entity/ZG39-ARIN
      Link: https://whois.arin.net/rest/poc/ZG39-ARIN
      Event:
        Action: last changed
        Date: 2024-11-11T04:27:09-05:00
      Event:
        Action: registration
        Date: 2000-11-30T13:54:08-05:00
      Role: administrative
      Role: technical
      vCard version: 4.0
      vCard fn: Google LLC
      vCard org: Google LLC
      vCard kind: group
      vCard email: arin-contact@google.com
      vCard tel: +1-650-253-0000
  Link: https://rdap.arin.net/registry/ip/34.64.0.0
  Link: https://whois.arin.net/rest/net/NET-34-64-0-0-1
  Event:
    Action: last changed
    Date: 2018-09-28T10:45:41-04:00
  Event:
    Action: registration
    Date: 2018-09-28T10:45:37-04:00
  cidr0_cidrs:
    v4prefix: 34.64.0.0
    length: 10

The RDAP information could be cached so that the start and end addesses, registered owner and country can be used for further traffic without requiring further calls, only upon reboot for example would be cache be cleared
#13
25.1, 25.4 Legacy Series / Re: 25.1.8_1 Kea DHCPv4 and DHCPv6 still issues
July 08, 2025, 10:56:44 AM
Since upgrading to 25.1.10 Kea is providing IPv4 and IPv6 addresses without a problem, so I have stopped using ISC DHCP
#14
25.1, 25.4 Legacy Series / Re: 25.1.6_2 and 25.1.6_4 problem with Kea DHCPv4/DHCPv6 dual operation
July 08, 2025, 10:55:12 AM
Since upgrading to 25.1.10 Kea is providing IPv4 and IPv6 addresses without a problem, so I have stopped using ISC DHCP
#15
25.1, 25.4 Legacy Series / 25.1.8_1 Kea DHCPv4 and DHCPv6 still issues
June 18, 2025, 10:30:32 AM
Hi,
Upgraded to 25.1.8_1 and tried replacing ISC DHCPv4 and DHCPv6 with Kea DHCPv4 and DHCPv6.
When Kea DHCPv4 is configured with a RAW socket type, then I can see the DHCP interactions for both IPv4 and IPv6 on one VLAN but not the other, when I configure Kea DHCPv4 with a UDP socket then I can see DHCPv6 interactions but no DHCPv4 entries and my client does not obtain an IPv4 address. While my client can appear to renew its IPv6 address, the IPv4 address renewal fails.
My client on another VLAN there is no interaction recorded in the logs for IPv6 or IPv4 with the socket configured as RAW or UDP..
When I stop and start the Kea DHCPv4 service the logs report that it is the DHCPv6 service that has been restarted, should it report that DHCPv4 service has restarted?
Pages1 2